To start with, you'll need OpenSSL.
Compilation and installation follow the usual methods. It's worth while to
note that the default installs everything in
No need to change this (unless you want to).
After you have this installed, you may want to edit the OpenSSL
configuration file with the information for your site so you have
pleasant defaults when creating and signing certificates. You'll find this
/usr/local/ssl/openssl.cnf in the section
req_distinguished_name Here you can set the defaults (denoted
_default appended to the variable name). Any settings
that do not have a default, such as
localityName can have one
set by appending
_default. In this case you'd set
Now, we move on to creating a private Certificate Authority (CA). First, some explanation. The CA is used in SSL to verify the authenticity of a given certificate. The CA acts as a trusted third party who has authenticated the user of the signed certificate as being who they say. The certificate is signed by the CA, and if the client trusts the CA, it will trust your certificate. For use within your organization, a private CA will probably serve your needs. However, if you intend use your certificates for a public service, you should probably obtain a certificate from a known CA.
In addition to identification, your certificate is also used for encryption. If you're thinking a certificate sounds similar to a PGP key, you're right. They use many of the same methods. Something else PGP and SSL have in common is the RSA encryption algorithm, which is patented. This patent expires in September of 2000, so after that you'll be free to use tools with the RSA algorithm (like OpenSSL). Until that time, to legally use RSA you need a license. RSA Data Security usually allows non-commercial use of the RSA algorithm for academic purposes.
CA.plthat does the same stuff). This hides all the gruesome details of how this works. Without the script this is a very annoying process.
newcert.pem. If you are going to create more, you should rename this or it will be overwritten be subsequent signatures.
openssl pkcs12 -export -in certs.pem -inkey certs.key -out file.p12 -name "Client Certificate"
Back to main page